none
BGB stops working on clients after securing cypher suites RRS feed

  • Question

  • We are locking down our TLS 1.2 cipher suites on our client servers to meet security standards. On the clients that we have locked down, the BGB no longer works and sees the server as offline in the configuration manager console.  As far as I can see all other aspects of the SCCM agent are working.  Deployments, Inventory scanning etc are all fine.  Just seems to be the BGB that stops working  I don't know much about how cipher suites affect the communication of this but can anyone explain to me if there is any way to change which cipher suite the environment is using to communicate this online/offline setting?


    • Edited by LEC_AGT Wednesday, January 22, 2020 11:32 AM
    Wednesday, January 22, 2020 11:18 AM

All replies

  • First note that BGB is far more than just online/offline.

    Next, did you follow the documented guidance for enabling TLS 1.2 in the ConfigMgr environment and review the common issues documentation: https://docs.microsoft.com/en-us/configmgr/core/plan-design/security/enable-tls-1-2 and https://docs.microsoft.com/en-us/configmgr/core/plan-design/security/enable-tls-1-2-troubleshoot?

    Also, have you reviewed the client and server side log files for client notification to validate that the issue truly is TLS related?


    Jason | https://home.configmgrftw.com | @jasonsandys

    Wednesday, January 22, 2020 1:13 PM
  • Hi Jason,

    Thanks for the response :). Yes I have read those but cant see anything related to this specific issue. 

    The following settings work on the client

    TLSv1.2:

         server selection: enforce server preferences
         3-- (key:  RSA)  RSA_WITH_AES_128_GCM_SHA256
         3f- (key:  RSA)  ECDHE_RSA_WITH_AES_256_CBC_SHA384
         3f- (key:  RSA)  ECDHE_RSA_WITH_AES_256_CBC_SHA
         3f- (key:  RSA)  ECDHE_RSA_WITH_AES_128_CBC_SHA256
         3f- (key:  RSA)  ECDHE_RSA_WITH_AES_128_CBC_SHA

    On the client, if I disable TLS 1.0 & 1.1 and enable 1.2 with RSA_WITH_AES_128_GCM_SHA256 it works. as soon as I take out RSA_WITH_AES_128_GCM_SHA256 it stops working and the server displays as offline in the console. 

    What I'm trying to understand is where does it decide to use RSA_WITH_AES_128_GCM_SHA256 for the BGB handshake? Will this only work when we lock down the TLS & Cipher versions on the SCCM servers to be the same as the client? 

    Thursday, January 23, 2020 4:41 PM
  • That's a good question that I can't answer and may require a support case with Microsoft to answer.

    My guess here is that the system hosting the MP (which is the only system that matters here as that's what handles client notification) is not configured for any of the above ciphers except RSA_WITH_AES_128_GCM_SHA256 (it may have others as well but those aren't on the client either) and thus when the negotiation happens, it only succeeds if the clients also have that cipher available.


    Jason | https://home.configmgrftw.com | @jasonsandys

    Thursday, January 23, 2020 5:03 PM
  • Thanks Jason,  I have a support ticket open with Microsoft.  ;)
    Friday, January 24, 2020 11:35 AM